Daily Drop (1145)
10-01-25
Wednesday, Oct 01, 2025 // (IG): BB // GITHUB // SN R&D
Patchwork APT Abuses PowerShell & Scheduled Tasks in New Espionage Campaign
Bottom Line Up Front (BLUF): Patchwork APT—also known as Dropping Elephant or Monsoon—has launched a new malware campaign leveraging PowerShell scripts and Windows Scheduled Tasks to establish persistence and exfiltrate sensitive data. The group, historically focused on South and Southeast Asia, is now deploying a multi-stage .NET-based loader that communicates with a stealthy C2 infrastructure via TLS-encrypted POST traffic, with strong obfuscation and in-memory execution to evade detection.
Analyst Comments: This campaign reinforces what we already know about Patchwork: they don’t innovate so much as adapt, but they do it well. Abusing Scheduled Tasks for persistence isn’t new—but layering it with living-off-the-land tactics, multiple rounds of XOR/Base64 encoding, and custom evasion logic like Protean and Scourgify makes this a challenge for defenders relying solely on signature-based detection. The malware’s modularity, stealth-focused exfiltration, and use of decoy files suggest targeted espionage, not opportunistic crime. While Patchwork is often dismissed as lower-tier than other APTs, this toolset shows evolving tradecraft and renewed focus on staying resident in compromised systems without burning custom exploits.
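As an added defender-side illustration (not code from the article or its source), the PowerShell check below enumerates Scheduled Tasks whose actions launch PowerShell with encoded, hidden or policy-bypass arguments, the persistence pattern described above. The argument patterns are assumptions about commonly abused switches, not indicators tied to this campaign.

```powershell
# Added example: hunt for Scheduled Tasks that run PowerShell with arguments
# typical of obfuscated, living-off-the-land persistence. Run in an elevated
# PowerShell session on the host being reviewed.

# Assumed indicators of obfuscated or stealthy PowerShell invocation
# (these are generic heuristics, not campaign-specific IoCs).
$suspiciousPatterns = @(
    '-(e|ec|en|enc|enco|encod|encode|encodedcommand)\s',  # -EncodedCommand and its abbreviations
    '-w(indowstyle)?\s+hidden',                          # hidden console window
    '-(nop|noprofile)\b',                                # skip profile to avoid logging hooks
    '-(ep|executionpolicy)\s+bypass',                    # execution policy bypass
    'FromBase64String',                                  # inline Base64 decoding
    'Invoke-Expression|\bIEX\b',                         # dynamic code execution
    '-bxor'                                              # XOR decoding in the script body
)
$regex = ($suspiciousPatterns -join '|')

# PowerShell's -match is case-insensitive by default, which suits CLI switches.
$findings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Combine executable and arguments so wrappers such as
        # "cmd.exe /c powershell ..." are still caught.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $regex) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Scheduled Tasks matched the PowerShell obfuscation heuristics.'
}
```

Review each hit against the task's author and registration time; legitimate management tooling also uses -NoProfile and hidden windows, so matches are leads for triage, not verdicts.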
READ THE STORY: GBhackers
CISA Orders Emergency Patching of Actively Exploited Fortra GoAnywhere 0-Day
Bottom Line Up Front (BLUF): CISA has added CVE-2025-10035 — a critical vulnerability in Fortra’s GoAnywhere MFT — to its Known Exploited Vulnerabilities (KEV) list and ordered all U.S. federal civilian agencies to patch by October 20. The bug, which received a CVSS score of 10.0, allows unauthorized remote access when the admin console is exposed to the internet. Multiple researchers say exploitation began as early as September 10, though Fortra has yet to confirm in-the-wild attacks.
Analyst Comments: You’re already late if you’re running GoAnywhere MFT and the admin console is exposed to the internet. This isn’t a theoretical risk—independent researchers, including watchTowr, have credible evidence of active exploitation since early September. The silence from Fortra is deafening, especially given the product’s history—the Clop ransomware gang weaponized CVE-2023-0669 to compromise over 130 orgs just two years ago. That playbook is back. With a CVSS 10.0 rating and federal agencies scrambling, the risk is clear: exposure means compromise. Enterprises must treat this as an incident containment issue, not just a patching exercise.
READ THE STORY: The Record
Actively Exploited Cisco ASA/FTD 0-Days Hit Over 48,000 Devices Worldwide
Bottom Line Up Front (BLUF): Cisco has confirmed two zero-day vulnerabilities—CVE-2025-20333 and CVE-2025-20362—affecting ASA and FTD firewalls. Both flaws are actively exploited and allow remote code execution or privilege escalation. As of late September, over 48,000 internet-facing firewalls remain vulnerable. Cisco has issued urgent patches, and security teams are urged to apply them immediately to avoid full perimeter compromise.
Analyst Comments: This is as bad as it gets for a perimeter device. Cisco ASA and FTD firewalls sit at the front door of thousands of organizations, and now attackers are walking right in—no need to phish users or find lateral paths. CVE-2025-20333 is particularly dangerous, enabling complete remote code execution with just network access to the management interface. Shadowserver’s telemetry showing tens of thousands of exposed IPs is a red flag, especially given how slowly firewalls tend to get patched in SMB environments. If you’re running anything pre-9.18.1.18, assume compromise is a matter of time. Expect ransomware crews and APTs alike to seize on this.
READ THE STORY: GBhackers
Afghanistan Plunges Into Full Internet Blackout, Halting Services and Isolating Millions
Bottom Line Up Front (BLUF): Afghanistan has entered a nationwide telecommunications blackout, cutting internet and phone access across all provinces. Multiple internet monitoring firms confirmed that the shutdown began late Monday and has disrupted essential systems, including air travel, healthcare, banking, and international communication. The Taliban government has not issued an official explanation, raising concerns from humanitarian organizations and foreign governments.
Analyst Comments: This is more than a communications outage; it is a digital siege. The Taliban’s decision to cut internet access nationwide in the wake of earlier regional restrictions suggests a deliberate move to suppress dissent, control information flow, or respond to internal instability. It also cripples humanitarian operations amid concurrent earthquakes and mass refugee returns. From a cybersecurity and risk perspective, a full blackout isolates the population and signals the regime’s willingness to weaponize digital infrastructure for political control. This highlights a worst-case scenario in continuity planning for foreign entities operating in or near Afghanistan—including NGOs, airlines, and international aid groups. Secure alternatives like satellite links and radio comms should be considered essential, not optional.
READ THE STORY: The Record
Hackers Probe Critical Palo Alto GlobalProtect Vulnerability (CVE-2024-3400) Amid Surge in Exploit Scanning
Bottom Line Up Front (BLUF): Threat actors are actively scanning for vulnerable Palo Alto Networks firewalls affected by CVE-2024-3400, a critical GlobalProtect flaw (CVSS 10.0) that enables arbitrary file creation and OS command injection. Although widespread exploitation hasn’t yet been confirmed, proof-of-concept (PoC) code is public, and exploitation is trivial—no authentication is required. All exposed PAN-OS instances not running recent hotfixes are at risk of full compromise.
Analyst Comments: This is a perimeter RCE with zero user interaction—the kind of bug threat actors automate quickly. The scanning has begun, and it’s only a matter of time before botnets and ransomware groups move from probing to widespread exploitation. The attack path is straightforward: force a file write via hipreport.confirm using HTTP response codes, then pivot to code execution. PAN firewalls are often overlooked in patching cycles, especially in mid-sized orgs. If you’re still on vulnerable versions, patch now or assume exposure. The attack doesn’t even need valid credentials. Think ProxyLogon-class urgency, but targeting your firewall.
READ THE STORY: GBhackers
Hacker Exploits Citrix Flaw to Breach FEMA, CBP; Employee Data Stolen, 23 Fired Amid Suspected China Ties
Bottom Line Up Front (BLUF): Between June and August 2025, a hacker exploited a known Citrix vulnerability to infiltrate FEMA and CBP networks, exfiltrating sensitive employee data. The breach prompted DHS to fire 23 FEMA staff for negligence and triggered speculation of Chinese state involvement, given parallels to past Beijing-linked espionage campaigns.
Analyst Comments: The combination of Citrix exposure, weak MFA enforcement, and credential theft shows persistent gaps in DHS cyber hygiene despite repeated CISA warnings. The fact that attackers maintained long-term persistence across FEMA and CBP networks raises concerns about what else could have been accessed beyond employee records. Attribution remains murky, but the tactics—credential abuse, months-long dwell time, exfiltration of PII—mirror campaigns attributed to PRC groups like Salt Typhoon. Beyond the technical lapse, the firings underscore a political push for accountability, but without structural reforms in patch management and zero-trust adoption, DHS remains a soft target.
READ THE STORY: WPN
Google Gemini AI Flaws Allowed Stealthy Data and Location Theft, Researchers Warn
Bottom Line Up Front (BLUF): Security researchers from Tenable have disclosed three critical vulnerabilities in Google’s Gemini AI assistant suite—dubbed the “Gemini Trifecta”—that could have enabled attackers to steal users’ saved data and live location. The flaws affected Gemini’s Cloud Assist, Search Personalization, and Browsing Tool components. Google has since patched all three, but the incident highlights how prompt injection and indirect input manipulation can turn advanced AI systems into stealthy exfiltration tools.
Analyst Comments: These weren’t zero-day exploits in the OS or browser—they were logic-level abuses of AI functionality. The “Gemini Trifecta” shows how adversaries can inject malicious prompts into log files, search histories, and URLs to trick the AI into doing their bidding—from pulling sensitive data to forwarding it to attacker-controlled domains. This bypasses most security tools looking for code execution or malware behavior. Expect attackers to pivot more heavily to prompt engineering and data-layer manipulation as AI integration deepens across enterprise tooling.
READ THE STORY: GBhackers
New China-Linked Espionage Group ‘Phantom Taurus’ Uncovered Targeting Diplomats, Telecoms, and Foreign Ministries
Bottom Line Up Front (BLUF): Palo Alto Networks’ Unit 42 has identified a previously undocumented China-linked APT group dubbed Phantom Taurus, responsible for stealthy espionage campaigns across the Middle East, Africa, and Asia. The group has exfiltrated sensitive data from embassies, telecoms, and ministries of foreign affairs, leveraging a custom malware suite called NET-STAR to maintain persistent, covert access. The group’s operations align with Beijing’s geopolitical intelligence goals.
Analyst Comments: Phantom Taurus is a textbook example of how China’s cyber espionage machine continues to evolve in both scope and stealth. Unlike well-known APTs reusing tooling or TTPs, this group has bespoke implants, advanced in-memory techniques, and a low-and-slow exfiltration model tailored for long-term intelligence collection. Notably, initial access is often mundane—unpatched internet-facing servers—proving again that elite ops don’t need fancy zero-days when basic hygiene fails. Expect broader attribution efforts soon, and potential overlaps with telecom-focused targeting in groups like Gallium and Mustang Panda.
READ THE STORY: CS
China’s Cyber and Strategic Encroachment on Israel and Its Allies Comes Into Focus
Bottom Line Up Front (BLUF): A growing body of intelligence and analysis points to a coordinated Chinese effort to undermine Israel’s strategic posture through cyber penetration, indirect support for terrorist proxies, economic leverage, and infrastructure access. In a widely shared op-ed, Israeli security analyst Shay Gal outlines Beijing’s financial and technological role in bolstering Iran, Hamas, and Hezbollah, while simultaneously embedding itself in Israeli ports and networks. The convergence of cyber activity, physical infrastructure access, and geopolitical alignment reveals a more immediate threat than previously acknowledged.
Analyst Comments: This is no longer just about Huawei routers or port leases—it’s about the intersection of cyber, supply chains, and national defense. Gal’s framing is blunt but grounded in a disturbing trend: China provides the tech and money to fuel regional threats while penetrating the same countries’ digital and physical infrastructure. Israel’s decisions to block Huawei 5G, deny Chinese desalination contracts, and restrict Chinese vehicles from military zones are tactical responses. What’s missing is a strategic doctrine to address Chinese hybrid influence holistically—across cyber, commercial, and diplomatic fronts. With Beijing hosting Hamas and funneling oil cash to Iran, the line between economic partner and strategic adversary is vanishing. Western democracies should pay attention.
READ THE STORY: The Times of Israel
Denmark Warns: Russian Hybrid Warfare “Only the Beginning,” Calls for Stronger NATO Response
Bottom Line Up Front (BLUF): Danish Prime Minister Mette Frederiksen warned that Russia’s escalating hybrid warfare campaign—ranging from drone intrusions and cyber attacks to sabotage—is “only the beginning,” urging NATO and the EU to strengthen both military posture and public awareness. The comments follow a series of unexplained drone sightings over Danish airports and military sites, part of a broader pattern of Russian provocations across Europe.
Analyst Comments: Frederiksen’s remarks aren’t just political posturing—they reflect a growing realization across Europe that the line between peacetime and conflict is fading fast. Hybrid threats like drones, cyber attacks, and undersea cable sabotage allow Moscow to apply pressure without triggering NATO’s Article 5. While Denmark’s drone incursions remain unattributed, the operational tempo matches known Russian tactics: deniability, provocation, and division. The proposed “drone wall” and broader anti-hybrid defenses are welcome, but unless Europe accelerates integrated response planning—especially among eastern and northern states—Russia will keep exploiting the seams. Notably, U.S. tensions over Greenland and Trump-era unpredictability add another axis of uncertainty for Danish security planners.
READ THE STORY: FT
U.S. Army Partners with Draganfly to Bring FPV Drone Manufacturing to the Front Lines
Bottom Line Up Front (BLUF): The U.S. Army has contracted Draganfly Inc. to supply Flex FPV drones and set up forward-deployed manufacturing facilities within overseas military bases. This marks a shift from centralized defense procurement toward embedded production, aimed at accelerating deployment cycles, reducing supply chain risks, and adapting rapidly to evolving battlefield needs.
Analyst Comments: This isn’t just another defense contract—it’s a strategic pivot. The Army is signaling that traditional procurement is too slow for modern drone warfare. Building FPV drones in-theater collapses logistics timelines and mirrors successful tactics already used in Ukraine. The Flex system is secondary to the model it supports: distributed manufacturing, iterative design, and embedded training. That’s what matters here. Expect to see other branches—and allied forces—experiment with similar setups, especially in contested or resource-limited environments. The question now: can this scale sustainably, or will it remain a niche tool for elite units and exercises?
READ THE STORY: DRONEXL
Russia Quietly Equips Chinese Airborne Forces Amid Taiwan Invasion Prep
Bottom Line Up Front (BLUF): Leaked documents verified by independent sources reveal that Russia is supplying military equipment and training to China’s airborne forces, explicitly to support a potential Taiwan invasion by 2027. The deal includes BMD-4M vehicles, Sprut anti-tank guns, and joint airborne exercises. While this deepens China’s airborne modernization, analysts note enduring capability gaps—and suggest Moscow may not fully support an actual war over Taiwan.
Analyst Comments: This is a significant shift. Russia’s quiet support for China’s airborne corps—arguably the weakest link in a Taiwan invasion—shows growing military-technical alignment. But there’s a catch: training a battalion and handing over a few dozen IFVs doesn’t erase core limitations in airlift, survivability, or logistics. More telling is Russia’s possible strategic hedging. Beijing may see the move as support; Moscow may see it as leverage. As with Ukraine, airborne forces are high-risk, high-failure tools in contested environments. Taiwan’s dense air defenses, contested airspace, and prepared ground units still pose a massive hurdle.
READ THE STORY: Asia Times
Ukraine Deploys Drone Defense Experts to Denmark Amid Plans for EU “Drone Wall”
Bottom Line Up Front (BLUF): Ukraine has dispatched a military team to Denmark to begin sharing combat-proven drone defense tactics with European partners, President Volodymyr Zelenskyy announced Tuesday. The deployment comes as Denmark and other EU nations plan a joint “drone wall” along their borders with Russia and Ukraine to counter escalating airspace violations. Ukraine’s drone warfare experience—sharpened over three years of conflict with Russia—is now seen as a strategic asset by NATO and EU defense planners.
Analyst Comments: No military in Europe has more real-world experience countering Russian drone threats than Ukraine, which has faced relentless strikes from Shahed drones, Lancets, and loitering munitions. By embedding its experts in Denmark, Kyiv is exporting tactics, technical doctrine, sensor fusion strategies, and counter-UAS workflows that many Western militaries lack. This move also signals that Europe is shifting from a passive drone defense posture to a layered, integrated, and forward-looking model. Expect the Danish deployment to become a template for future Ukrainian defense missions across the EU.
READ THE STORY: abcNEWS
US Activates Reaper Drone Squadron in South Korea, Extending ISR Reach Toward China and Taiwan
Bottom Line Up Front (BLUF): The U.S. Air Force has permanently stationed MQ-9 Reaper drones in South Korea by reactivating the 431st Expeditionary Reconnaissance Squadron at Kunsan Air Base. Located just 250 miles from China, the squadron extends U.S. surveillance and strike capabilities deep into the East China Sea, Taiwan Strait, and North Korean territory—underscoring Washington’s growing focus on integrated intelligence, surveillance, and reconnaissance (ISR) across the Indo-Pacific.
Analyst Comments: This isn’t just about Korea—this is about China. The Reapers’ range puts Chinese military assets within persistent ISR reach in the Bohai Sea, Taiwan Strait, and East China Sea. While the U.S. already flies drones in the region, forward-deploying them to Kunsan changes the game: reduced response time, increased sortie rates, and permanent overwatch in contested zones. With tensions escalating—especially after Kim Jong Un’s recent joint parade with Xi Jinping—this move is a clear signal to Beijing and Pyongyang. Future drone deployments should be integrated with U.S.-ROK joint targeting and early warning frameworks.
READ THE STORY: OODALOOP // NEWSWEEK
China Executes Crackdown: 16 Members of Myanmar Scam Syndicate Sentenced to Death
Bottom Line Up Front (BLUF): A Chinese court has sentenced 16 members of the powerful Ming crime family to death for running large-scale cyber scam compounds in Myanmar’s Kokang region, near the Chinese border. The scam operations, which targeted Chinese citizens and involved forced labor, murder, and human trafficking, caused financial losses exceeding $1.4 billion. The ruling marks China’s most forceful action against transnational cybercrime in Southeast Asia.
Analyst Comments: This verdict is Beijing drawing a line: scams that prey on Chinese nationals—even from foreign territory—won’t be tolerated. The Ming syndicate wasn’t just a fraud ring; it operated with state-like authority, leveraging ties to Myanmar’s junta-backed militias. The message here is twofold: China is asserting its jurisdiction beyond its borders, and it’s willing to make examples of influential figures to contain the growing cyber scam epidemic bleeding billions from Chinese users. Still, while the Ming group may be neutralized, similar scam parks across Myanmar and Cambodia remain operational. Without pressure on the root enabler—the Myanmar military—these prosecutions may amount to cutting heads off a hydra.
READ THE STORY: OCCRP
China Mandates One-Hour Breach Reporting for Critical Infrastructure Operators
Bottom Line Up Front (BLUF): Starting November 1, 2025, China will require critical infrastructure operators to report major cybersecurity incidents within 60 minutes—and in some cases, as fast as 30 minutes—under new rules issued by the Cyberspace Administration of China (CAC). The aggressive timeline reflects Beijing’s push to harden its domestic networks amid escalating global cyber tensions and increased attacks from and against Chinese-linked threat actors.
Analyst Comments: China just flipped the breach disclosure script. While Western nations often allow 72 hours for incident reporting, Beijing demands that critical network operators alert authorities in under an hour. This isn’t just about faster containment—it’s about control. With the state directly involved in the response, Chinese authorities can shape investigations in real time, increasing pressure on private operators who may not be equipped to comply. The move follows the exposure of China-linked threat group Salt Typhoon and marks a shift from offense to defense in Beijing’s cyber posture. Whether this pace is feasible or merely performative remains to be seen.
READ THE STORY: DR
China’s Tianwen-2 Probe Sends Back Deep-Space Selfie With Earth
Bottom Line Up Front (BLUF): China’s Tianwen-2 asteroid mission has transmitted its first significant milestone image: a deep-space selfie showing the probe, its return capsule, and Earth in the distant background. Now 43 million kilometers from Earth, the mission is progressing as planned, with all systems functioning and science instruments beginning data collection.
Analyst Comments: China is signaling both technical capability and long-term ambition here. Capturing and releasing a polished image like this isn’t just PR—it’s a way of asserting presence in deep space. With Tianwen-2 aiming to return samples from asteroid 2016HO3 and later study main-belt comet 311P, Beijing is positioning itself for leadership in small-body planetary science. The robotic arm, successful deployment of sampling systems, and extended mission duration all mirror lessons from Japan’s Hayabusa2 and NASA’s OSIRIS-REx, but with Chinese characteristics. Expect future missions to layer on complexity—possibly including lunar south pole resource extraction and Mars sample return.
READ THE STORY: Xinhua (STATE SPONSORED)
Items of interest
CISA 2015 and State Cyber Grants at Risk as Congress Fails to Extend Cyber Authorities
Bottom Line Up Front (BLUF): Two pillars of U.S. federal cybersecurity policy—the Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program—are set to expire on October 1 due to congressional gridlock. With no reauthorization or funding deal reached, legal protections for sharing cyber threat intelligence and $1 billion in cybersecurity grants will lapse, undermining efforts to defend critical infrastructure and state networks against nation-state and criminal actors.
Analyst Comments: This isn’t just bureaucratic drama—it’s a real operational setback. CISA 2015 underpins trusted threat intelligence flows between the private sector and government. Legal liability concerns will chill disclosure if it lapses, especially from companies without large legal teams. Meanwhile, the state grant program has been a lifeline for under-resourced counties, water utilities, schools, and rural hospitals. As ransomware and APT activity surge, pulling funding and removing legal shields for sharing threat data is an open invitation for adversaries—particularly China, Russia, and Iran—to exploit domestic gaps. The politics may resolve, but the security vacuum is immediate.
READ THE STORY: The Record
Countering Ransomware, CISA 2015, and Active Cyber Defense with Cynthia Kaiser (Video)
FROM THE MEDIA: Ransomware, espionage, and nation-state cyber threats are colliding in dangerous new ways. In this episode of Cyber Focus, host Frank Cilluffo sits down with Cynthia Kaiser, senior vice president at Halcyon and former deputy assistant director for cyber at the FBI.
Reauthorizing CISA 2015: Strengthening Public-Private Partnerships for a Secure Nation (Video)
FROM THE MEDIA: This ICIT virtual briefing will examine reauthorizing the Cybersecurity Information Sharing Act (CISA) of 2015, focusing on enhancing cyber threat information sharing, addressing legal and policy barriers, and fortifying national cyber defense. Participants will gain insights into the law’s original intent, its impact over the past decade, and bipartisan strategies to modernize cybersecurity legislation amid growing concerns over state-sponsored threats and evolving digital risks—ultimately highlighting how government and industry can better protect the nation’s critical infrastructure.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.